W3C home > Mailing lists > Public > public-device-apis@w3.org > July 2010

Re: JavaScript Permissions interface in WebApps

From: John Morris <jmorris@cdt.org>
Date: Fri, 2 Jul 2010 15:34:56 -0400
Cc: W3C Device APIs and Policy WG <public-device-apis@w3.org>
Message-Id: <192078CA-CAA3-4720-BF55-6689E95EB1DD@cdt.org>
To: Andrei Popescu <andreip@google.com>
Andrei,

On Jul 2, 2010, at 1:05 PM, Andrei Popescu wrote:

> Hi John,
>
....

>> I make these points simply to assert that the fact that the  
>> Geolocation WG
>> "talked to death" the idea of taking action to protect privacy (and  
>> rejected
>> that idea) is not evidence that such action should be rejected today.
>
> But the Geolocation WG did not reject the idea of taking action to
> protect privacy. I think it is regrettable to make such a statement.
>
> We simply rejected the idea of adding privacy attributes to the API
> and presented convincing reasons why we thought it was not protecting
> any privacy. Meanwhile, as far as I know, no new evidence was brought
> to this debate so the reasons we had to reject the idea back then are
> still valid today.

It may be semantics, but I think it is precisely accurate to say that  
the WG declined to take action to protect privacy - at least if action  
means (as I intended) actually doing something to design the API  
itself to address privacy.  What the WG did was to simply perpetuate  
the old, broken model of privacy on the web, in which websites set the  
rules and the user has no ability to control their information.   
Although the privacy exhortations in the Geolocation API spec are  
quite strong - and we greatly appreciate that strong language - the  
spec contains only exhortations.

As you know, I think the conclusions that the WG reached were wrong at  
the time, and so even if "no new evidence" emerged since then I would  
still think that DAP should go back to consider the issues (especially  
since, unlike Geolocation, DAP is not limited to a pre-existing API).   
But there is in fact significant new evidence - evidence that shows  
that website implementers/users of the Geolocation API are rampantly  
ignoring privacy and giving users very little notice and no  
significant control.  In other words, the precise bad results that we  
predicted two years ago have come to pass.  So I think there is ample  
"new evidence" that suggests the DAP group should take a new look at  
the issues.  I urge you and the other browser makers to actively  
participate in those efforts.

John
Received on Friday, 2 July 2010 19:35:36 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:53:45 UTC